Poor identity, access and credential management is the biggest cybersecurity challenge for cloud computing, after the shift to remote working has redefined the workplace and changed priorities around the use of cloud applications and services, warns new research.
According to a survey of 700 industry experts on security issues in the cloud industry carried out by the Cloud Security Alliance, a not-for-profit that promotes best practices for cloud computing, insufficient identity, credential, access and key management for privileged accounts is a top concern around cloud cybersecurity.
The shift towards remote and hybrid working has changed how businesses and employees operate, no longer accessing office applications and productivity suites installed on their PCs at the office, but rather accessing the tools they need through software-as-a-service and cloud-based productivity suites – from any device, no matter where they are.
That shift means managing access to resources and files is vital, especially when administrator or other high-level privilege access is required. But organisations are struggling to achieve this, particularly as many end users are now situated outside the company firewalls and traditional protections.
But it isn't just cyber attackers from outside the company who can take advantage of misconfigured identity, access and credential management, if it isn't managed properly. It's also possible for these issues to be exploited by insider threats – employees who can exploit the lack of controls to escalate their access privileges and gain access to data they shouldn't be able to.
They could be doing this just because they can, taking it with them to a rival company, or putting it up for sale to cyber criminals to exploit.
While gaining access to login credentials for cloud accounts is an increasingly common technique used in cyberattacks, in some cases, the attacker doesn't need a username or a password at all, because data stored in the cloud is being left exposed and is accessible to anyone who knows where to look.
The report also warns against some other common cloud security flaws, including:
Insecure interfaces and APIs
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insecure software development
In order to improve identity and access management controls, the report recommends organisations implement a zero-trust model of cybersecurity, requiring validation at every stage of the user's journey through the cloud environment, preventing them from using one set of credentials to gain access to things they don't need to.